Workflow processes are complex activities involving the coordinated execution of several tasks by different executing agents, in order to reach a common objective. Workflow Management Systems (WfMSs) are software applications that support the specification, execution, and management of workflows. Workflow processes are inherently distributed, are cooperatively executed by a plurality of users and applications, and may span beyond organization boundaries.
Consequently, workflows carry the general security requirements of distributed, multi-user processes. Further, workflows present some peculiar security requirements that have to be considered, e.g., the assignment of tasks to agents (human or computer) in the system. The assignment of tasks is performed by the WfMS according to properly defined models and rules, such as those described in Bertino, E., et al., “A flexible model supporting the specification and enforcement of role-based authorizations in workflow management systems,” Proceedings of the 2nd ACM Workshop on Role-Based Access Control, Santiago, Chile, November 1997.
However, a role-based model alone is insufficient to meet all the authorization requirements of an organization. In particular, it is well known in the art that such policies often demand capabilities for expressing and enforcing authorization constraints, e.g., the separation of duties constraint, such as those described in Sandhu, R., “Separation of duties in computerized information systems,” in S. Jajodia and C. Landwehr, editors, Database Security IV: Status and Prospects, North-Holland, 1991. Accordingly, more advanced role-based models are necessary, together with supporting technology, in order to enable the definition of authorization constraints in the WfMS and to implement the many different security policies of an organization.
A logic-based language for the specification and verification of authorization constraints in workflow systems is described in Bertino et al. (1997, cited above). There, different types of constraints are introduced for workflows, based on a role-based access control model. Static, dynamic, and hybrid constraints are distinguished for consistency analysis purposes: static constraints can be evaluated before workflow execution; dynamic constraints can be evaluated only during workflow execution; hybrid constraints combine the two and can be partially evaluated without executing the workflow.
Access control models have recently been proposed specifically for workflows. For example, in Atluri, V., et al., “An extended Petri-net model for supporting workflows in a multilevel secure environment,” Proceedings of the 10th IFIP TC11/WG11.3 International Conference on Database Security, Como, Italy, September 1996, Chapman & Hall, a workflow authorization model is defined in which the authorization flow is synchronized with the activity flow. This model is based on the concept of an “authorization template” associated with each workflow task, which grants authorizations to a task only when the task starts and revokes them when it terminates. Temporal authorizations are defined that are valid only within the expected duration of a certain task.
To better cope with workflow requirements, the capability of specifying and enforcing authorization constraints is required in order to express the organizational security policies that govern task execution and assignment. Relevant work includes task-based authorization models and separation of duties in computerized systems, both defined in the context of distributed applications. With task-based authorizations, such as those described in Sandhu, R., “Task-based authorizations: A paradigm for flexible and adaptable access control in distributed applications,” Proceedings of the 16th NIST-NCSC National Computer Security Conference, Baltimore, Md., USA, 1993, authorizations are seen in terms of tasks rather than individual subjects and objects. The concept of an “authorization-task” is introduced as the unit for managing authorizations in distributed applications; an authorization-task can be refined into authorization-subtasks. The separation of duties constraint in computerized systems, described in Sandhu (1991, cited above), uses transaction control expressions to enforce computerized controls analogous to those found in manual, paper-based systems.
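The authorization-template behaviour described above (grant when the task starts, revoke when it terminates, and a validity window bounded by the task's expected duration) is easy to get subtly wrong, in particular the case of a task that overruns its expected duration without terminating. The following is an added example written for this page, not code from the patent or from the cited Atluri et al. model; the class names, the two-task purchase-order flow and the time values are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    subject: str     # agent or role receiving the privilege
    obj: str         # protected object, e.g. a document
    privilege: str   # e.g. "read", "write", "sign"


@dataclass(frozen=True)
class AuthTemplate:
    """Attached to one task: what is granted when the task starts, and for
    how long the grant is expected to be needed (assumed abstract time units)."""
    task: str
    grants: frozenset        # of Authorization
    expected_duration: int


class WorkflowCase:
    def __init__(self, templates):
        self.templates = {t.task: t for t in templates}
        self.active = {}      # task -> time at which its grants expire
        self.events = []      # (event, task, time) audit trail

    def start_task(self, task, now):
        # Grant happens only at task start: the authorization flow follows
        # the activity flow instead of being assigned up front.
        self.active[task] = now + self.templates[task].expected_duration
        self.events.append(("grant", task, now))

    def end_task(self, task, now):
        # Revoke as soon as the task terminates, even if time remains.
        self.active.pop(task, None)
        self.events.append(("revoke", task, now))

    def granting_task(self, subject, obj, privilege, now):
        """Return the active task whose template grants the request, or None.
        A grant whose expected duration has elapsed no longer counts, even
        though the task itself has not terminated."""
        wanted = Authorization(subject, obj, privilege)
        for task, expiry in self.active.items():
            if now <= expiry and wanted in self.templates[task].grants:
                return task
        return None

    def is_authorized(self, subject, obj, privilege, now):
        return self.granting_task(subject, obj, privilege, now) is not None


def build_case():
    # Constructed sample: a clerk fills order-42, then a manager signs it.
    fill = AuthTemplate("fill_order", frozenset({
        Authorization("clerk", "order-42", "write")}), expected_duration=5)
    sign = AuthTemplate("sign_order", frozenset({
        Authorization("manager", "order-42", "read"),
        Authorization("manager", "order-42", "sign")}), expected_duration=2)
    return WorkflowCase([fill, sign])


def demo():
    case = build_case()
    out = {"before_start": case.is_authorized("clerk", "order-42", "write", now=0)}
    case.start_task("fill_order", now=1)                     # grants expire at 6
    out["while_active"] = case.is_authorized("clerk", "order-42", "write", now=3)
    out["other_subject"] = case.is_authorized("manager", "order-42", "sign", now=3)
    out["after_expiry"] = case.is_authorized("clerk", "order-42", "write", now=7)
    case.end_task("fill_order", now=8)
    case.start_task("sign_order", now=8)                     # grants expire at 10
    out["after_revoke"] = case.is_authorized("clerk", "order-42", "write", now=8)
    out["sign_active"] = case.granting_task("manager", "order-42", "sign", now=9)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check that matters operationally is `after_expiry`: a task that is still running past its expected duration has lost its privileges, so an engine built on this model needs a way to extend or re-issue the template rather than silently failing the task.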
Although workflow management systems (WfMSs) have become very popular in recent years, and hundreds of commercial products presently exist on the market, it is only recently that the workflow community has started to address the problem of providing flexible authorization mechanisms. This is also motivated by the need for increased security imposed by cross-organizational interactions and by the use of workflows for supporting e-commerce transactions.
One product, MQ Workflow by IBM of Armonk, N.Y., USA, as described in MQ Series Workflow—Concepts and Architectures, 1998, allows the definition of a binding of duties constraint: the executor of a task can be restricted to be the same executor as that of another task in the same case, or to be the case initiator. Staffware 2000, a product of Staffware Corporation of Maidenhead, Berkshire, United Kingdom, also enables the definition of a binding of duties constraint; however, the constraint must be statically defined, it holds for all instances, and it cannot be defined on tasks that join flows from multiple tasks.
In addition, Staffware allows the definition of authorizations that are valid only for a specified time period. Further, InConcert by InConcert Inc., a subsidiary of TIBCO Software Inc. headquartered in Palo Alto, Calif., allows, in addition to the static binding of agents to tasks and of tasks to roles, the definition of external applications that are invoked at task assignment time to determine the role to which the task should be assigned, as described in D. McCarthy et al., “Workflow and transactions in InConcert,” IEEE Data Engineering, 16(2):53–56, June 1993.
COSA by Baan Company of The Netherlands, as described in the COSA Reference Manual, 1998, is a commercial WfMS that provides the greatest flexibility in defining authorization constraints and task assignment criteria. COSA allows the definition of agent groups and group hierarchies, analogous to the role/level hierarchies described herein, along which authorizations can be inherited. With respect to authorization constraints, COSA provides a simple language that enables the definition of binding and separation of duties constraints and of time-dependent authorizations.
Changengine, by Hewlett-Packard of Palo Alto, Calif., as described in the Changengine Process Design Guide, 2000, and the Changengine Resource Management Guide, 2000, is the commercial product with the richest and most flexible resource model. Task assignments are specified by a resource rule, executed each time a task is scheduled by the system. The rule, written in a Changengine-specific language, may invoke one or more methods on several business objects that encode the logic for agent selection. Such business objects, called resource agents, may, for instance, query a database or a Lightweight Directory Access Protocol (LDAP) directory in order to select the appropriate agent.
The above approaches have several limitations. They are limited in the class of time-, instance-, and history-dependent constraints they can model, allowing only a few types of constraints to be defined. Furthermore, they do not allow the definition of constraints that depend on the state of several workflow instances, and they cannot manage global constraints, i.e., constraints applied to every task or case (for instance, a business policy may require that no agent executes the same task more than twice, regardless of the specific task or workflow).
Additionally, the external applications or agent expressions defined to determine the set of authorized agents have to be evaluated each time a task is activated, rather than each time an authorization is modified, with a resulting performance penalty.
Thus a need exists for a method to define coupled task assignment criteria and authorization rules within a workflow. In particular, a need exists for specifying temporal, instance-based, and history-based authorizations. An additional need exists for a uniform and simple mechanism for specifying the different types of constraints. A further need exists for a mechanism to pre-compute the set of agents authorized to execute each task, so as to accelerate the execution of the workflow.
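To make the preceding points concrete (the static/dynamic distinction of Bertino et al., separation and binding of duties, a global history-dependent constraint spanning several cases, and pre-computing the role-authorized agent set so that only the dynamic part is evaluated at activation time), here is an added example written for this page. It is not code from the patent or from any of the products discussed; the engine, the agent and role names, the three-task flow and the execution history are constructed for illustration:

```python
from collections import defaultdict


class AssignmentEngine:
    """Pre-computes the static (role-based) candidate set per task whenever
    an authorization changes; dynamic constraints are applied on that set
    only when a task is activated."""

    def __init__(self):
        self.agent_roles = {}             # agent -> roles held directly
        self.juniors = defaultdict(set)   # senior role -> junior roles it inherits
        self.task_role = {}               # task -> role allowed to execute it
        self.constraints = []             # callables (engine, task, case, agent) -> bool
        self.history = []                 # (case, task, agent), in execution order
        self._static = {}                 # task -> frozenset of role-authorized agents

    # Authorization changes are rare compared to task activations, so the
    # hierarchy expansion is redone here, once per change.
    def set_roles(self, agent, *roles):
        self.agent_roles[agent] = set(roles)
        self._recompute()

    def set_hierarchy(self, senior, junior):
        self.juniors[senior].add(junior)
        self._recompute()

    def assign_task(self, task, role):
        self.task_role[task] = role
        self._recompute()

    def _roles_of(self, agent):
        roles, stack = set(), list(self.agent_roles.get(agent, ()))
        while stack:                      # walk down the hierarchy
            r = stack.pop()
            if r not in roles:
                roles.add(r)
                stack.extend(self.juniors.get(r, ()))
        return roles

    def _recompute(self):
        self._static = {
            task: frozenset(a for a in self.agent_roles if role in self._roles_of(a))
            for task, role in self.task_role.items()
        }

    def candidates(self, task, case):
        """Agents allowed to execute `task` in `case` right now (sorted)."""
        return sorted(a for a in self._static.get(task, ())
                      if all(check(self, task, case, a) for check in self.constraints))

    def executor(self, case, task):
        return next((a for c, t, a in self.history if c == case and t == task), None)

    def record(self, case, task, agent):
        if agent not in self.candidates(task, case):
            raise PermissionError(f"{agent} may not execute {task} in {case}")
        self.history.append((case, task, agent))


def separation_of_duties(task_a, task_b):
    """Dynamic, instance-bound: task_b may not go to whoever did task_a in the same case."""
    return lambda e, task, case, agent: task != task_b or e.executor(case, task_a) != agent


def binding_of_duties(task_a, task_b):
    """Dynamic, instance-bound: task_b must go to whoever did task_a, once task_a has run."""
    def check(e, task, case, agent):
        prev = e.executor(case, task_a)
        return task != task_b or prev is None or prev == agent
    return check


def global_max_executions(limit):
    """History-dependent and instance-spanning: no agent executes the same
    task more than `limit` times, counted over all cases."""
    return lambda e, task, case, agent: sum(
        1 for _, t, a in e.history if t == task and a == agent) < limit


def build_engine():
    e = AssignmentEngine()
    e.set_hierarchy("manager", "clerk")           # managers inherit clerk authorizations
    e.set_roles("alice", "clerk")
    e.set_roles("bob", "clerk")
    e.set_roles("carol", "manager")
    e.assign_task("prepare", "clerk")
    e.assign_task("approve", "manager")
    e.assign_task("archive", "clerk")
    e.constraints += [separation_of_duties("prepare", "approve"),
                      binding_of_duties("prepare", "archive"),
                      global_max_executions(2)]
    return e


def demo():
    e = build_engine()
    out = {"prepare_c1": e.candidates("prepare", "c1")}   # all three, via the hierarchy
    e.record("c1", "prepare", "alice")
    out["approve_c1"] = e.candidates("approve", "c1")     # carol (separation holds trivially)
    out["archive_c1"] = e.candidates("archive", "c1")     # alice only (binding of duties)
    e.record("c2", "prepare", "alice")
    out["prepare_c3"] = e.candidates("prepare", "c3")     # alice hit the global limit of 2
    e.record("c4", "prepare", "carol")
    out["approve_c4"] = e.candidates("approve", "c4")     # nobody: the only manager prepared it
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `approve_c4` case is the deadlock a practitioner should watch for: a separation of duties constraint combined with a single-member role can leave a task with no authorized executor, which is exactly the kind of inconsistency that static analysis of the constraint set (as opposed to evaluation at activation time) is meant to surface before deployment.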